Firing from privileged code to non-privileged code

When firing a CustomEvent from privileged code (e.g. an extension) to non-privileged code (e.g. a web page), you must take security into consideration. Firefox and other Gecko applications restrict an object created in one context from being used directly in another. This generally prevents security holes automatically, but the same restrictions may also prevent your code from running as expected.

When creating a CustomEvent object, you must create it from the same window as the one you are going to dispatch it to.

// doc is a reference to the content document
function dispatchCustomEvent(doc) {
  // This will not work: the CustomEvent would be created from the chrome
  // window and would not be seen by the content.
  // var myEvent = new CustomEvent("mytype");

  // Create the CustomEvent from the content window instead.
  // The constructor must be invoked with `new`.
  var myEvent = new doc.defaultView.CustomEvent("mytype");
  doc.dispatchEvent(myEvent);
}

The detail attribute of your CustomEvent is subject to the same restrictions. String and Array values are readable by the content without restrictions, but custom Objects are not. If you use a custom Object, you must define which of its attributes are readable from the content script using __exposedProps__.
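
The following is an added example, not code from the original page: it passes a custom Object as detail and marks a single property as readable. The names buildDetail, contentView and makeStandInDocument are hypothetical, and contentView is only a simplified model of the filtering that Gecko itself performs, included so the example runs outside Firefox.

```javascript
// Added example, not MDN's code. makeStandInDocument() and contentView() are
// hypothetical helpers so this runs outside Firefox; Gecko does the filtering.

// Only properties named in __exposedProps__ ("r" = readable) are exposed.
function buildDetail(user, token) {
  return {
    user: user,
    token: token, // not listed below, so content must not be able to read it
    __exposedProps__: { user: "r" }
  };
}

// Create the event from the content window, then dispatch on its document.
function dispatchCustomEvent(doc, type, detail) {
  var myEvent = new doc.defaultView.CustomEvent(type, { detail: detail });
  return doc.dispatchEvent(myEvent);
}

// Simplified model (assumption) of what content can read from the detail:
// strings and arrays pass through, custom objects show only readable props.
function contentView(detail) {
  if (detail === null || typeof detail !== "object" || Array.isArray(detail)) return detail;
  var exposed = detail.__exposedProps__ || {};
  var view = {};
  Object.keys(exposed).forEach(function (name) {
    if (String(exposed[name]).indexOf("r") !== -1) view[name] = detail[name];
  });
  return view;
}

// Stand-in for a content document and its window (constructed for the demo).
function makeStandInDocument() {
  class StandInCustomEvent extends Event {
    constructor(type, init) { super(type, init); this.detail = init ? init.detail : null; }
  }
  var doc = new EventTarget();
  doc.defaultView = { CustomEvent: StandInCustomEvent };
  return doc;
}

// Dispatch a constructed detail and return what a page listener would read.
function demo() {
  var doc = makeStandInDocument();
  var seen = null;
  doc.addEventListener("mytype", function (e) { seen = contentView(e.detail); });
  dispatchCustomEvent(doc, "mytype", buildDetail("alice", "constructed-token"));
  return seen;
}
```

In real chrome code only buildDetail and dispatchCustomEvent are needed, with doc being the content document.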